发表新帖
发表新帖

htaccess - using password OR ip whitelist

后端 未结
关注
3 1960
盖世英雄少女心
盖世英雄少女心 2021-01-30 08:46

So I want to restrict access to a url. Now if they are coming from a given IP address then they shouldn\'t be prompted for a password. If they are not coming from a givin IP a

相关标签:
3条回答
  • 爱一瞬间的悲伤
    2021-01-30 09:24

    You can use the Apache "Satisfy" directive.

    Here is an example of using it : 

    AuthType Basic
AuthName "Please Log In"
AuthUserFile /some/path/.htpasswd
Require valid-user
Order deny,allow
Deny from all
Allow from 127.0.0.1
Satisfy any

    Access without password is only allowed from 127.0.0.1.

    Hope this helps.

    0 讨论(0)
  • 一个人的身影
    2021-01-30 09:27

    With Apache 2.4 Satisfy is still available, but deprecated

    Note

    The directives provided by mod_access_compat have been deprecated by mod_authz_host. Mixing old directives like Order, Allow or Deny with new ones like Require is technically possible but discouraged. This module was created to support configurations containing only old directives to facilitate the 2.4 upgrade. Please check the upgrading guide for more information.

    In your case Allow from 1.2.3.4 is replaced by Require ip 1.2.3.4

    Combining several Requires (like Require valid-user and Require ip) can be done by Authorization Containers. So saying the client must either provide a password or come from a specific IP address, would be done by surrounding the directives with RequireAny, e.g.

    <RequireAny>
    Require valid-user
    Require ip 1.2.3.4
</RequireAny>

    Although, this is a special case as described at the end of Require

    When multiple Require directives are used in a single configuration section and are not contained in another authorization directive like <RequireAll>, they are implicitly contained within a <RequireAny> directive. Thus the first one to authorize a user authorizes the entire request, and subsequent Require directives are ignored.

    In other words, RequireAny is optional here, and you can just list

    Require valid-user
Require ip 1.2.3.4
    0 讨论(0)
  • 温柔的废话
    2021-01-30 09:28

    This workes perfect for me:

    AuthType Basic
AuthName "myserver publicname"
AuthUserFile "/myserverpath/.htpasswds/public/passwd"
require ip 100.12.255.233
require valid-user

    Note: Just placed 'require ip' with 'my example ip' before 'require valid-user' and it does the trick. I can log in from my ip without password requested, but if I access from other locations or my mobile devices I need the password.

    To set 'Satisfy any' was NOT GOOD FOR ME (!), because it disabled other .htaccess settings in lower hierarchy of my app and made my site insecure.

    0 讨论(0)
 看不清?
提交回复
热议问题